fengjikou 发表于 2015-2-9 23:03:01

过名将三国驱动保护

#include<ntddk.h>
#include<windef.h>

/*
 * x86 layout of a system service descriptor table entry, as this driver
 * reads it through KeServiceDescriptorTable. Only ServiceTableBase is used:
 * Hook()/Unhook() treat it as an array of 32-bit routine addresses indexed by
 * service number (base + index * 4).
 * NOTE(review): in the documented x86 KSERVICE_TABLE_DESCRIPTOR the third
 * slot is the number of services, not a "table base", despite the name used
 * here; this driver never reads it, so the mislabel is harmless.
 */
typedef struct _SERVICE_DESCRIPTOR_TABLE
{
unsigned int *ServiceTableBase;        /* service routine addresses, one ULONG per service number */
unsigned int *ServiceCounterTableBase; /* not used by this driver */
unsigned int NumberTableBase;          /* not used by this driver (see note above) */
unsigned char *ParamTableBase;         /* not used by this driver */
}SERVICE_DESCRIPTOR_TABLE,*PSERVICE_DESCRIPTOR_TABLE;

/* Exported by ntoskrnl: the kernel's native service table. Hook()/Unhook()
 * below patch its ServiceTableBase entries in place after clearing CR0.WP.
 * NOTE(review): this only works on 32-bit kernels that do not police the
 * SSDT; the hard-coded indices and addresses in this file belong to one
 * specific kernel build. */
extern PSERVICE_DESCRIPTOR_TABLE    KeServiceDescriptorTable;


/* Signature of the saved NtOpenProcess service routine. Hook() stores the
 * original SSDT entry into RealZwOpenProcess with this type, but nothing
 * ever calls through it: the pass-through call in MyNtOpenProcess is
 * commented out and the naked stub re-enters the original by jump. */
typedef NTSTATUS (*REALZWOPENPROCESS)
      (
OUT PHANDLE ProcessHandle,
IN ACCESS_MASK AccessMask,
IN POBJECT_ATTRIBUTES ObjectAttributes,
IN PCLIENT_ID ClientId);

/* Signature of the NtReadVirtualMemory service routine. Declared for the
 * RealNtReadVirtualMemory global, which is never assigned or called in this
 * listing (the call in MyNtReadVirtualMemory is commented out). */
typedef NTSTATUS (*READVIRTUALMEMORY)(
      IN HANDLE ProcessHandle,
      IN PVOID BaseAddress,
      OUT PVOID Buffer,
      IN ULONG BufferLength,
      OUT PULONG ReturnLength OPTIONAL);
         
/* Signature of the NtWriteVirtualMemory service routine. Declared for the
 * RealNtWriteVirtualMemory global, which is never assigned or called here.
 * Note the Buffer direction: IN here (the data to write), whereas the naked
 * stub MyNtWriteVirtualMemory declares it OUT; IN/OUT are empty macros so
 * the mismatch is cosmetic, but IN is the correct one. */
typedef NTSTATUS (*WRITEVIRTUALMEMORY)(
IN HANDLE ProcessHandle,
IN PVOID BaseAddress,
IN PVOID Buffer,
IN ULONG BufferLength,
OUT PULONG ReturnLength OPTIONAL
);


REALZWOPENPROCESS    RealZwOpenProcess;        /* set in Hook() from the saved SSDT entry; never called */
READVIRTUALMEMORY    RealNtReadVirtualMemory;  /* never assigned nor called (pass-through is commented out) */
WRITEVIRTUALMEMORY   RealNtWriteVirtualMemory; /* never assigned nor called (pass-through is commented out) */
//***************************************************************************
VOID Hook();
VOID Unhook();
VOID OnUnload(IN PDRIVER_OBJECT DriverObject);
NTSTATUS rc;   /* leftover from the commented-out pass-through call; unused */
//NTSTATUS rc1;
//NTSTATUS rc2;
DWORD bix,tiao; /* unused */
//////////////////////////////////////
ULONG JmpAddress;  // re-entry point inside NtOpenProcess: OldServiceAddress + 15 (set in Hook())
ULONG JmpAddress1; // re-entry point inside NtReadVirtualMemory: OldServiceAddress1 + 12
ULONG JmpAddress2; // re-entry point inside NtWriteVirtualMemory: OldServiceAddress2 + 12
ULONG OldServiceAddress;  // original NtOpenProcess SSDT entry, saved by Hook() for Unhook()
ULONG OldServiceAddress1; // original NtReadVirtualMemory SSDT entry
ULONG OldServiceAddress2; // original NtWriteVirtualMemory SSDT entry
//////////////////////////////////////
//////////////////////////////////////
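/*
 * Replacement SSDT entry for NtOpenProcess (Hook() installs it at index 0x7A).
 *
 * The stub filters nothing. It replays the first 15 bytes of NtOpenProcess as
 * found on the kernel build this listing was written against,
 *     push 0C4h          ; 68 C4 00 00 00   (5 bytes)
 *     push 804daab0h     ; 68 B0 AA 4D 80   (5 bytes)  <- the "ten bytes" of the original comment
 *     call 80538d00h     ; E8 rel32         (5 bytes)
 * and then jumps to JmpAddress = OldServiceAddress + 15, i.e. into the genuine
 * routine just past those bytes. Presumably the point is that a detour a
 * protection driver wrote over the function entry is never executed for
 * calls arriving through this SSDT slot.
 *
 * NOTE(review): every immediate here is tied to one ntoskrnl build; on any
 * other build the replayed prologue does not match and the kernel crashes.
 * The original listing ended the block with a bare `jmp` (no operand), which
 * does not assemble; the indirect jump through JmpAddress is what Hook()
 * computes that variable for. The call goes through eax instead of rel32, so
 * eax is clobbered before the callee runs (assumed harmless for that callee).
 * Naked: no compiler prologue/epilogue, so the stack is exactly as the
 * system-call dispatcher left it; the C parameters are never touched here.
 */
__declspec(naked) NTSTATUS __stdcall MyNtOpenProcess(PHANDLE ProcessHandle,
               ACCESS_MASK DesiredAccess,
               POBJECT_ATTRIBUTES ObjectAttributes,
               PCLIENT_ID ClientId)
{
    __asm {
        push    0C4h
        push    804daab0h           ; these two pushes are 10 bytes in the original
        mov     eax, 80538d00h
        call    eax                 ; same callee the original reaches with call rel32
        jmp     dword ptr [JmpAddress]   ; resume the genuine NtOpenProcess at +15
    }
}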

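/*
 * Replacement SSDT entry for NtReadVirtualMemory (Hook() installs it at
 * index 0xBA). No filtering: it replays the first 12 bytes of the genuine
 * routine on the targeted kernel build,
 *     push 1Ch           ; 6A 1C            (2 bytes)
 *     push 804da4e0h     ; 68 E0 A4 4D 80   (5 bytes)
 *     call 80538d00h     ; E8 rel32         (5 bytes)
 * and jumps to JmpAddress1 = OldServiceAddress1 + 12, skipping whatever was
 * written over the function entry.
 *
 * NOTE(review): the original comment "共十个字节" ("ten bytes in total") was
 * copied from the NtOpenProcess stub; here the two pushes are 2 + 5 = 7 bytes
 * and the call 5, which is why Hook() uses +12 for this routine. All
 * immediates are build-specific. The bare `jmp` of the original listing had
 * no operand and could not assemble; JmpAddress1 is the intended target.
 * Naked function: no prologue/epilogue, parameters are not touched here.
 */
__declspec(naked) NTSTATUS __stdcall MyNtReadVirtualMemory(
      IN HANDLE ProcessHandle,
      IN PVOID BaseAddress,
      OUT PVOID Buffer,
      IN ULONG BufferLength,
      OUT PULONG ReturnLength OPTIONAL)
{
    __asm {
        push    1Ch
        push    804da4e0h
        mov     eax, 80538d00h
        call    eax
        jmp     dword ptr [JmpAddress1]  ; resume the genuine routine at +12
    }
}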
         
         
         
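      /*
       * Replacement SSDT entry for NtWriteVirtualMemory (Hook() installs it at
       * index 0x115). No filtering: it replays the first 12 bytes of the genuine
       * routine on the targeted kernel build,
       *     push 1Ch           ; 6A 1C            (2 bytes)
       *     push 804da4f8h     ; 68 F8 A4 4D 80   (5 bytes)
       *     call 80538d00h     ; E8 rel32         (5 bytes)
       * and jumps to JmpAddress2 = OldServiceAddress2 + 12, skipping whatever
       * was written over the function entry.
       *
       * NOTE(review): as for the read stub, the "ten bytes" remark in the
       * original applies to NtOpenProcess; here the pushes are 7 bytes and the
       * call 5, matching the +12 Hook() uses. All immediates are build-specific.
       * The original listing's bare `jmp` had no operand; JmpAddress2 is the
       * target it was computed for. Buffer is really an input here (the data
       * to write); the OUT annotation is cosmetic since IN/OUT expand to
       * nothing. Naked function: no prologue/epilogue, parameters untouched.
       */
      __declspec(naked) NTSTATUS __stdcall MyNtWriteVirtualMemory(
      IN HANDLE ProcessHandle,
      IN PVOID BaseAddress,
      OUT PVOID Buffer,
      IN ULONG BufferLength,
      OUT PULONG ReturnLength OPTIONAL)
      {
          __asm {
              push    1Ch
              push    804da4f8h
              mov     eax, 80538d00h
              call    eax
              jmp     dword ptr [JmpAddress2]  ; resume the genuine routine at +12
          }
      }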


/*
 * Driver entry point. Registers OnUnload (so the SSDT entries are put back
 * when the driver leaves memory) and installs the hooks. Always reports
 * success: Hook() returns nothing that could be propagated.
 */
NTSTATUS DriverEntry(IN PDRIVER_OBJECT DriverObject,PUNICODE_STRING RegistryPath)
{
    UNREFERENCED_PARAMETER(RegistryPath);

    /* unload routine first, so a later failure can still be undone cleanly */
    DriverObject->DriverUnload = OnUnload;
    DbgPrint("Unhooker load");
    Hook();

    return STATUS_SUCCESS;
}
/////////////////////////////////////////////////////
/*
 * Unload routine registered in DriverEntry. Restores the saved SSDT entries
 * via Unhook() before the driver image (and the MyNt* stubs the table
 * points at) disappears.
 */
VOID OnUnload(IN PDRIVER_OBJECT DriverObject)
{
    UNREFERENCED_PARAMETER(DriverObject);

    DbgPrint("Unhooker unload!");
    Unhook();
}
/////////////////////////////////////////////////////

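/*
 * Check that the five bytes ending at offset `skip` in the routine at `fn`
 * are a `call rel32` resolving to `target` -- the call the naked stubs
 * replay and whose return lands at fn + skip. Bytes before the call are
 * deliberately not compared: a 5-byte detour at the entry (the case this
 * driver exists to step over) overwrites them, while the call survives in
 * all three prologues. Returns FALSE when the kernel build differs from the
 * one the stub immediates were taken from, or when the SSDT entry no longer
 * points at the genuine routine; jumping to fn + skip would then execute
 * mis-decoded code.
 */
static BOOLEAN PrologueCallMatches(ULONG fn, ULONG skip, ULONG target)
{
    const UCHAR *call = (const UCHAR *)(fn + skip - 5);
    LONG rel;

    if (call[0] != 0xE8)             /* E8 = call rel32 */
        return FALSE;
    rel = *(const LONG *)(call + 1);
    /* rel32 is relative to the end of the call instruction, i.e. fn + skip */
    return ((fn + skip + (ULONG)rel) == target) ? TRUE : FALSE;
}

/*
 * Install the three SSDT hooks.
 *
 * Reads the current entries for service numbers 0x7A, 0xBA and 0x115
 * (NtOpenProcess / NtReadVirtualMemory / NtWriteVirtualMemory on the kernel
 * build this listing targets -- service numbers differ between releases),
 * saves them in OldServiceAddress* for Unhook(), derives the re-entry points
 * JmpAddress* (entry + length of the prologue each stub replays: 15 for
 * NtOpenProcess, 12 for the other two) and finally points the entries at
 * the MyNt* stubs. The table is written with CR0.WP cleared, between cli and
 * sti so this CPU is not interrupted while write protection is off (CR0 is
 * per-CPU, so the other CPUs are unaffected).
 *
 * NOTE(review): JmpAddress* are only meaningful while the SSDT entry still
 * points at the genuine routine (with at most an entry-point detour). If a
 * protection driver replaced the SSDT entry itself, OldServiceAddress is its
 * handler and entry + 15 lands inside foreign code. The prologue check below
 * refuses to install anything in that case, and on a kernel build whose
 * prologue does not match the hard-coded stubs.
 */
VOID Hook()
{
    ULONG Address, Address1, Address2;

    Address  = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A  * 4;
    Address1 = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x0ba * 4;
    Address2 = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x115 * 4;
    DbgPrint("Address:0x%08X",Address);
    DbgPrint("Address1:0x%08X",Address1);
    DbgPrint("Address2:0x%08X",Address2);

    /* remember the current entries first: Unhook() writes these back */
    OldServiceAddress  = *(ULONG *)Address;
    OldServiceAddress1 = *(ULONG *)Address1;
    OldServiceAddress2 = *(ULONG *)Address2;
    RealZwOpenProcess = (REALZWOPENPROCESS)OldServiceAddress;
    DbgPrint("OldServiceAddress:0x%08X",OldServiceAddress);
    DbgPrint("OldServiceAddress1:0x%08X",OldServiceAddress1);
    DbgPrint("OldServiceAddress2:0x%08X",OldServiceAddress2);

    /* where the stubs resume after replaying the prologue */
    JmpAddress  = OldServiceAddress  + 15;
    JmpAddress1 = OldServiceAddress1 + 12;
    JmpAddress2 = OldServiceAddress2 + 12;
    DbgPrint("JmpAddress:0x%08X",JmpAddress);
    DbgPrint("JmpAddress1:0x%08X",JmpAddress1);
    DbgPrint("JmpAddress2:0x%08X",JmpAddress2);

    /* 0x80538d00 is the call target hard-coded in all three naked stubs */
    if (!PrologueCallMatches(OldServiceAddress,  15, 0x80538d00) ||
        !PrologueCallMatches(OldServiceAddress1, 12, 0x80538d00) ||
        !PrologueCallMatches(OldServiceAddress2, 12, 0x80538d00)) {
        DbgPrint("Hook: prologue mismatch, SSDT left untouched");
        return;
    }

    __asm {                         ; drop write protection
        cli
        mov     eax, cr0
        and     eax, not 10000h     ; clear CR0.WP (bit 16)
        mov     cr0, eax
    }

    *((ULONG *)Address)  = (ULONG)MyNtOpenProcess;      /* HOOK SSDT */
    *((ULONG *)Address1) = (ULONG)MyNtReadVirtualMemory;
    *((ULONG *)Address2) = (ULONG)MyNtWriteVirtualMemory;

    __asm {                         ; restore write protection
        mov     eax, cr0
        or      eax, 10000h
        mov     cr0, eax
        sti
    }
}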


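/*
 * Put the three SSDT entries saved by Hook() back. Uses the same CR0.WP /
 * cli-sti sequence as Hook(). If any saved entry is still zero, Hook() never
 * read the table and nothing is restored: storing 0 into the SSDT would
 * crash the next caller of that service.
 *
 * (The original listing had `ULONGAddress;` -- type and name run together --
 * and `moveax,cr0` etc. in the asm, neither of which compiles; fixed here.)
 */
VOID Unhook()
{
    ULONG Address, Address1, Address2;

    if (OldServiceAddress == 0 || OldServiceAddress1 == 0 || OldServiceAddress2 == 0) {
        DbgPrint("Unhook: nothing saved, SSDT left untouched");
        return;
    }

    /* same slots Hook() patched */
    Address  = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x7A  * 4;
    Address1 = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x0ba * 4;
    Address2 = (ULONG)KeServiceDescriptorTable->ServiceTableBase + 0x115 * 4;

    __asm {                         ; drop write protection
        cli
        mov     eax, cr0
        and     eax, not 10000h     ; clear CR0.WP (bit 16)
        mov     cr0, eax
    }

    *((ULONG *)Address)  = (ULONG)OldServiceAddress;    /* restore SSDT */
    *((ULONG *)Address1) = (ULONG)OldServiceAddress1;
    *((ULONG *)Address2) = (ULONG)OldServiceAddress2;

    __asm {                         ; restore write protection
        mov     eax, cr0
        or      eax, 10000h
        mov     cr0, eax
        sti
    }

    DbgPrint("Unhook");
}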

chlnr159 发表于 2015-7-3 01:35:23

逐字逐句地看完这个帖子以后,我的心久久不能平静